Manual Compaq Ipaq 3630 wireless security (page 23 of 30) (English)

35484

Zoom out

Zoom in

1/30

Wireless Security White Paper 23

Authentication

Infowave uses NTLM challenge/response authentication. Infowave sends no user information

over the link other than the encrypted NTLM token.

Authorization

Once it has authenticated the user, the Infowave server determines what resources the user is

authorized and licensed to access. The Infowave server grants or denies access to the Exchange

mailbox, for example. It also sends an authentication request back to the Infowave client

software. The authentication request is processed using the NTLM credentials cached on the

client device.

Encryption

For asymmetric encryption, Infowave uses the Elliptic Curve Cryptography (ECC) encryption

algorithm from the Certicom Security Builder toolkit. The Infowave server maintains a private

and public key pair that is generated on installation. Infowave clients know the server’s public key

and use it to perform the symmetric key exchange for all data transfers. ECC is significantly

faster than the standard RSA encryption algorithms, and is well suited to mobile devices. The

Wireless Business Engine is designed to support a number of different encryption algorithm

combinations. The Certicom ECC/DESX combination is the currently implemented algorithm

pair, but an arbitrary number of algorithms can be supported.

For symmetric encryption, Infowave uses DESX, a strengthened variant of the Data Encryption

Standard (DES) method of encryption that originated at IBM in 1977. Infowave randomly

generates a DESX symmetric key pair on each client every time the client logs on. This key pair

is used to encrypt session traffic.

Data Integrity

Infowave compresses, encrypts, and delivers data using its wireless protocol. The Infowave

server analyzes the data to determine the best compression algorithm. The combination of

encryption and compression ensures that data cannot be altered during transmission. If data shows

signs of having been altered, the receiving side of the exchange does not accept it.

Non-repudiation

If the Infowave client software falls into unfriendly hands, the attacker can gain knowledge only

of the Infowave server public key and the number of the access port. The breach of this

information is not critical. Without knowing the user’s Windows NT domain name, user ID, and

password, the attacker can get no further than the Infowave server. The Windows NT domain

name is combined with other information and encrypted with the server’s public key, which keeps

an attacker from impersonating a valid user.

Possible Security Problem

There may be a significant problem with Infowave security in that the client is not able to validate

the public key of the Infowave server (WBE). This implies vulnerability to a "man-in-the-middle"

attack where a client request is intercepted and then relayed to the server. The man in the middle

can then eavesdrop on the entire transmission.

According to Infowave, this design decision was made to support server public key download at

the cost of the potential security hole mentioned above. At the time the design was implemented,

the client-side libraries did not support signing of the server public key. This will be changed in

future versions.

Report abuse

Libble takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Product:

Forumrules

To achieve meaningful questions, we apply the following rules:

First, read the manual;
Check if your question has been asked previously;
Try to ask your question as clearly as possible;
Did you already try to solve the problem? Please mention this;
Is your problem solved by a visitor then let him/her know in this forum;
To give a response to a question or answer, do not use this form but click on the button 'reply to this question';
Your question will be posted here and emailed to our subscribers. Therefore, avoid filling in personal details.

new questions and answers
new manuals

You will receive an email to register for one or both of the options.

Get your user manual by e-mail

Enter your email address to receive the manual of Compaq Ipaq 3630 wireless security in the language / languages: English as an attachment in your email.

The manual is 0,5 mb in size.

You will receive the manual in your email within minutes. If you have not received an email, then probably have entered the wrong email address or your mailbox is too full. In addition, it may be that your ISP may have a maximum size for emails to receive.

The manual is sent by email. Check your email

If you have not received an email with the manual within fifteen minutes, it may be that you have a entered a wrong email address or that your ISP has set a maximum size to receive email that is smaller than the size of the manual.

The email address you have provided is not correct.

Please check the email address and correct it.

Your question is posted on this page

Would you like to receive an email when new answers and questions are posted? Please enter your email address.

Info

Compaq Ipaq 3630 wireless security Manual

Product: